I encountered the above exception after migrating an application from QuartzMDB with quartz-ra.rar to EJB Timers in JBoss AS 6.1 (as part of upgrading the application to WildFly 8.1).

The exception occurs in a job that uses the following EJB.

@Stateless
@TransactionAttribute(TransactionAttributeType.REQUIRED)
@RolesAllowed({"admin"})
public class PlatformPluginBean implements PlatformPluginRemote {

    // some code here

    public Collection<PlatformPlugin> getPlugins() {
        return new ArrayList<PlatformPlugin>(schemaToPlugin.values());
    }

}

The following is the job before migration, which worked fine.

@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "cronTrigger", propertyValue = "0 0 * * * ?"),
    @ActivationConfigProperty(propertyName = "jobName", propertyValue = "PruneJob")})
@ResourceAdapter("quartz-ra.rar")
@RunAs("admin")
public class PruneJob implements Job {

    @EJB
    private PlatformPluginRemote platformPluginRemote;

    @Override
    public void execute(JobExecutionContext jobExecutionContext) throws JobExecutionException {

        for (PlatformPlugin platformPlugin: platformPluginRemote.getPlugins()) {
            // some stuff here
        }
    }
}

The following is the job after changing to an EJB auto timer.

@Stateless
@RunAs("admin")
public class PruneJob {

    @EJB
    private PlatformPluginRemote platformPluginRemote;

    @Schedule(hour="*", minute="0", persistent=false)
    public void execute() {

        for (PlatformPlugin platformPlugin: platformPluginRemote.getPlugins()) {
            // some stuff here
        }
    }
}

The exception occurs at the platformPluginRemote.getPlugins() call.

2 Answers

There's this issue reported in JBoss 5 which also affects JBoss AS 6.1. To fix it, you can add the org.jboss.ejb3.security.RunAsSecurityInterceptorFactory interceptor in the file JBOSS_HOME/server/<instance>/deploy/ejb3-interceptors-aop.xml:

e.g.:

<!-- The additional MDB specific ones -->
<interceptor-ref name = "org.jboss.ejb3.ENCPropagationInterceptor" />
<interceptor-ref name = "org.jboss.ejb3.security.RunAsSecurityInterceptorFactory" />
<interceptor-ref name = "CMTTx" />
<interceptor-ref name = "org.jboss.ejb3.stateless.StatelessInstanceInterceptor" />
<interceptor-ref name = "org.jboss.ejb3.tx.BMTTxInterceptorFactory" />
<interceptor-ref name = "org.jboss.ejb3.AllowedOperationsInterceptor" />
<interceptor-ref name = "org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor" />

In practice it has caused me some problems: the role is not propagated on all invocations, and sometimes an authorization error occurs.

Alternatively, you can use Subject.doAs() in the execute() method of the MDB. Do not forget to add the ClientLoginModule login module to your security domain.

Federico Sierra

The @RunAs("admin") annotation doesn't seem to work for some reason (JBoss bug?).

The same can be done by adding the following code before the call to the EJB.

SecurityContextAssociation.getSecurityContext().setOutgoingRunAs(new RunAsIdentity("admin", "admin"));